A new, critical bug in Adobe’s Flash Player is giving some attackers a back door into victims computers, Adobe warned late Friday.
The bug affects Adobe Flash Player version 10.0.45.2 and earlier on all operating systems, including Windows, Macintosh and Linux. It is also found in the latest versions of the widely used Reader and Acrobat software, Adobe said. “There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat,” Adobe said in its security advisory.
When exploited, the flaw can cause Adobe’s software to crash, but it can also give attackers control of the computer, Adobe said.
The attacks are not yet widespread. Adobe has so far received two reports of online attacks. The first one came in at 10:30 a.m. Pacific on Friday, according to company spokeswoman Wiebke Lips.
Trend Micro Researcher Paul Ferguson agreed that the attack is new, and does not appear to be widely used. “It may just be ramping up,” he cautioned via instant message. “I just haven’t seen anything so far.”
Versions 8 of Adobe Reader and Acrobat are not vulnerable to the attack, Adobe said.
Adobe’s free Reader software has become a favorite hacker target in the past few years. Attacks that involve malicious PDF files now make up about nearly 50 percent of all Web-based attacks, according to Symantec.